Canarys | IT Services


Authorize access to VSTS REST APIs with OAuth 2.0


In this blog we will discuss how to implement OAuth authorization for the VSTS REST APIs using an access token.

Authenticate your web app's users to access the REST APIs so that your app doesn't have to keep asking for their usernames and passwords. Visual Studio Team Services uses the OAuth 2.0 protocol to authorize your app for a user and generate an access token. Use this token when you call the REST APIs from your app.

Below are the steps we need to carry out to get the access token:

  • Register your app
  • Authorize your app
  • Get access and refresh token for the user
  • Use the access token
  • Refresh an expired access token



Figure: Token based authentication for VSTS REST APIs

Let us discuss each step in detail:

1. Register your app:

Here is the URL to register your app

Registering the app requires three categories of information, as follows.

Company information:


Application information:


Authorised scope:

Make sure to select the scopes that your application needs, and then use the exact same scopes when you authorize your app.

Examples of scopes are as follows:


After selecting the required scopes for the application, the user has to click the Create Application button. After the application is created successfully, the user will get the information shown below:


Once the app is registered, you must call the authorization URL and pass the app ID and authorized scopes when you want a user to authorize your app to access their Visual Studio Team Services account. You'll call the access token URL when you want to get an access token to call a Visual Studio Team Services REST API.

2. Authorize your app:

To authorize the registered app, the user must call the authorization URL as below: {appID}&response_type=Assertion&state={state}&scope={scope}&redirect_uri={callback URL}

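Here is the C# code to authorize the application:

// Redirects the user's browser to the authorization URL.
public ActionResult Verify()
{
    // The authorization endpoint that precedes {0} is missing from this page.
    // Multiple scopes are separated by an encoded space (%20).
    string url = "{0}&response_type=Assertion&state=User1&scope=vso.dashboards_manage%20vso.project_manage%20vso.work_write&redirect_uri={1}";

    // Both values are stored in the appSettings section of web.config.
    string redirectUrl = System.Configuration.ConfigurationManager.AppSettings["RedirectUri"];
    string clientId = System.Configuration.ConfigurationManager.AppSettings["ClientId"];

    // URL-encode the values before placing them in the query string.
    url = string.Format(url, System.Uri.EscapeDataString(clientId), System.Uri.EscapeDataString(redirectUrl));

    return Redirect(url);
}

The ClientId and RedirectUri values are read from the appSettings section of the web.config file, where they are stored.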

When you call Visual Studio Team Services to ask for a user's authorization, and the user grants it, Visual Studio Team Services will redirect the user's browser to your authorization callback URL with the authorization code for that authorization. The callback URL must be a secure connection (https) to transfer the code back to the app. It must exactly match the URL registered in your app. If it doesn't, a 400 error page is displayed instead of a page asking the user to grant authorization to your app.     

Visual Studio Team Services will ask the user to authorize your app.

Once the user accepts, Team Services will redirect the user's browser to your callback URL, including a short-lived authorization code and the state value provided in the authorization URL: ?code={authorization code} &state=User1
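An added example, not part of the original post: because the callback returns the state value sent in the authorization URL, the app can issue an unpredictable state per session and accept the callback only when that same value comes back, which ties the authorization code to the browser session that started the flow. The `endpointPrefix` argument (everything in the authorization URL before the app ID), the `oauth_state` session key, the dictionary standing in for the ASP.NET session, and all sample values are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class OAuthStateDemo
{
    // 32 random bytes as URL-safe base64: unpredictable, unlike a fixed "User1".
    public static string NewState()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // endpointPrefix is an assumption: the part of the authorization URL before {appID}.
    public static string BuildAuthorizeUrl(string endpointPrefix, string appId, string state,
                                           string[] scopes, string callbackUrl)
    {
        return endpointPrefix + Uri.EscapeDataString(appId)
            + "&response_type=Assertion"
            + "&state=" + Uri.EscapeDataString(state)
            + "&scope=" + Uri.EscapeDataString(string.Join(" ", scopes))
            + "&redirect_uri=" + Uri.EscapeDataString(callbackUrl);
    }

    // Accept the callback only if it carries a code and the state issued for this session.
    // The stored state is removed first, so each value can be redeemed once.
    public static bool AcceptCallback(IDictionary<string, string> session, string code, string state)
    {
        string expected;
        if (!session.TryGetValue("oauth_state", out expected)) return false;
        session.Remove("oauth_state");
        if (string.IsNullOrEmpty(code) || string.IsNullOrEmpty(state)) return false;
        byte[] a = Encoding.UTF8.GetBytes(expected), b = Encoding.UTF8.GetBytes(state);
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i]; // compare without early exit
        return diff == 0;
    }

    public static void Main()
    {
        var session = new Dictionary<string, string>(); // stands in for the ASP.NET session
        string state = NewState();
        session["oauth_state"] = state;
        Console.WriteLine(BuildAuthorizeUrl("https://authorize.example/?app=", "constructed-app-id", state,
            new[] { "vso.dashboards_manage", "vso.project_manage", "vso.work_write" },
            "https://app.example/oauth/callback"));
        Console.WriteLine(AcceptCallback(session, "constructed-code", state));   // state issued for this session
        Console.WriteLine(AcceptCallback(session, "constructed-code", state));   // same state presented again
        session["oauth_state"] = NewState();
        Console.WriteLine(AcceptCallback(session, "constructed-code", "User1")); // state that was never issued
    }
}
```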

3. Get access token and refresh token using authorization code:

Now use the authorization code to request an access token (and refresh token) for the user.


Request header

Content-Type: application/x-www-form-urlencoded

Content-Length: 1322

HTTP request body


Below is the C# code to get the access token and refresh token:



